Simple password guidance from the NCSC

14th February 2017

The NCSC has published a set of guidelines helping businesses develop a well-structured, usable password policy for employees. Unlike many attempts at encouraging SMEs to improve their password security, the NCSC’s approach doesn’t involve mandating changes to randomly-generated strings of characters every 30 days. Instead it recommends taking a more holistic view of password management and takes a fresh look at the issues.

Why passwords fail

Passwords have become ubiquitous in the internet world. Every online service requires security, and passwords are considered the simplest way of authenticating users.

Unfortunately, the proliferation of services means people either have to a) remember numerous different passwords or, more likely, b) use similar information for multiple services. As a point of evidence, a Scottish NHS survey found 63% of users admitted re-using details.

A technical response is to enforce the use of ‘strong’ passwords. In this context, ‘strong’ normally means a mix of numbers, letters, capitals, symbols, and avoiding common words. This is seen as making individual passwords more secure, but has the big downside of making them less memorable. Being less memorable also means they are likely to be re-used across different services.

Reusing passwords invariably means that obtaining one password suddenly gives access to multiple services. So the security of your organisation’s Office 365 cloud storage could be compromised because an employee used the same password to log into Facebook.

Avoiding password fails

The NCSC advice walks you through an understanding of how passwords are uncovered, and the relative merits and pitfalls of different password approaches. Handily, you can download an infographic to print and hang up in the IT manager’s office.

Highlights of the guidance include:

Remember to change default passwords on infrastructure. The Carna Internet Census (2012) estimated there were ‘several hundred thousand’ unprotected devices which had been harvested by the Carna botnet just because they had been left with default passwords in place. Is your office router still using the factory-set username and password?

Give employees tools and instructions for how to manage multiple passwords. Options include password-manager software or a physically secure location (such as a sealed envelope in a locked drawer with only one key) that lists current passwords.

Ask whether you need passwords at all. The fewer passwords people have to remember, the better. Can you combine services behind one password, or find alternative ways of authorising users? Mobile phones used to rely on four-digit passwords; now they use fingerprint recognition to unlock access.

Consider replacing mandatory password changes every x days with better monitoring of logins to identify unusual activity. Then notify the user and lock down the account until the employee has confirmed their identity. For example, if a user logs in from Manchester, then 10 minutes later logs in from London, it’s clear a security breach has taken place.

Don’t force users to type in random characters and numbers. Instead, block common passwords and educate users on how to think up uncommon but easy-to-remember passwords (a good approach is to use multiple words strung together, like ‘dogcatmonkeyhouse’).

Focus security efforts on particular users. Remote employees, managers, and administrators are clear examples of users who need higher security than desk-based office-bound staff. Be flexible in your approach to passwords for these different groups.
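As an added illustration of the login-monitoring point above (this is example code written for this page, not part of the NCSC guidance or any product), here is a small Python check that flags ‘impossible travel’ between a user’s successive logins, such as Manchester followed by London 10 minutes later. The sample log lines, the city-to-coordinate table and the 900 km/h plausibility ceiling are all constructed assumptions; a real system would resolve the source IP through a GeoIP lookup instead.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample log lines (not from the article): "timestamp user city".
SAMPLE_LOG = """\
2017-02-14T09:00:00 alice Manchester
2017-02-14T09:10:00 alice London
2017-02-14T08:30:00 bob Manchester
2017-02-14T11:30:00 bob London
"""

# Hypothetical geolocation table; a real deployment would use GeoIP on the source IP.
CITY_COORDS = {"Manchester": (53.4808, -2.2426), "London": (51.5074, -0.1278)}

# Assumed ceiling: faster than any commercial flight, so it cannot be legitimate travel.
MAX_PLAUSIBLE_KMH = 900.0


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def parse_log(text):
    """Turn the constructed log format into (timestamp, user, city) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, city = line.split()
        events.append((datetime.fromisoformat(ts), user, city))
    return events


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, previous_city, city, implied_kmh) for every login that would
    require travelling faster than max_kmh since that user's previous login."""
    last_seen = {}  # user -> (timestamp, city) of the most recent login
    alerts = []
    for ts, user, city in sorted(events):  # process each user's logins in time order
        if user in last_seen:
            prev_ts, prev_city = last_seen[user]
            km = haversine_km(CITY_COORDS[prev_city], CITY_COORDS[city])
            hours = (ts - prev_ts).total_seconds() / 3600
            kmh = km / hours if hours > 0 else float("inf")
            if km > 0 and kmh > max_kmh:  # same-city repeats never trigger an alert
                alerts.append((user, prev_city, city, round(kmh)))
        last_seen[user] = (ts, city)
    return alerts
```

Running `impossible_travel(parse_log(SAMPLE_LOG))` flags only alice (roughly 262 km in 10 minutes, about 1,570 km/h); bob’s three-hour gap between the same two cities implies under 90 km/h and passes.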